One Device Intermittently Unreachable - IPSec VPN

pdvcisco
Level 1

For an IPSec point-to-point VPN there is one device that becomes unreachable (cannot ping or other). The device is pingable from the LAN at all times. How can I make this device reachable at all times? Below is more detail.

Thanks,

Dan Foxley

  • The temporary fix (for +/- 5 minutes; there may be others) is to 'clear arp' on the local VPN router.
  • VPN is from PIX 6.3(5) (Far end) to IOS Version 12.3(8r)T7 (Local Side)
  • Device that becomes unreachable is a Netgear switch.
  • 'show arp' on the IOS (local side of the VPN) still has a valid entry for the device WHEN it becomes unreachable on the far end.

          192.168.10.8     000f.b53e.ce01 (This is the same MAC when pinging on the local subnet)

  • When doing a tracert on the remote end while the device is not reachable, I notice the hop count goes to 27 before giving up, whereas when it is reachable the tracert takes two hops.

IOS VPN Commands (Local Side)

access-list 138 remark PDVCA-To-Sungard
access-list 138 remark CCP_ACL Category=4
access-list 138 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 138 permit ip 192.168.10.0 0.0.0.255 host 192.168.4.16
!
crypto map 3377 1 ipsec-isakmp
 set peer 66.XX.XX.XX
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 138
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

PIX VPN Commands (Remote End)

access-list ipsectraffic_pdvcorp-ca_pstn permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ipsectraffic_pdvcorp-ca_pstn permit ip host 192.168.4.16 192.168.10.0 255.255.255.0
sysopt connection permit-ipsec
sysopt noproxyarp PDVInflow
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 25 ipsec-isakmp
crypto map mymap 25 match address ipsectraffic_pdvcorp-ca_pstn
crypto map mymap 25 set pfs group2
crypto map mymap 25 set peer 184.XX.XX.XX
crypto map mymap 25 set transform-set ESP-3DES-SHA
crypto map mymap 25 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map mymap 35 ipsec-isakmp
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption 3des
isakmp policy 110 hash sha
isakmp policy 110 group 2
isakmp policy 110 lifetime 28800

10 Replies

jawad-mukhtar
Level 4

If the Netgear switch is managed, then check whether a default gateway is present. If not, enter the ASA interface IP as the default gateway.

Jawad

Jawad,

Thanks for the reply. I double checked, the Netgear switch does have the default gateway populated. Good suggestion, sometimes the basics can be missed.

Dan

Well, I have been facing such issues with devices like Netgear etc. Nothing is wrong with your config. To be safe, you can add a Cisco switch at the site and then monitor it.

Jawad

Jawad,

I'm not sure, then, why the Netgear switch has no issue with ping (or other traffic) from the local subnet. How could the Netgear only display this issue over a VPN, if it is an issue with the Netgear switch?

(Off Topic: But that makes me think, the monitoring software has a remote network agent collector option, which can sit on the local LAN and send data to the remote side).

ALIAOF_
Level 6

Is that the only device you cannot reach when this happens? Have you tested whether there may be other devices you are unable to reach as well?

Mohammad Ali, (Great name BTW!)

Similarly, I monitor a dozen or more devices over this VPN on the remote subnet that the Netgear switch is on, and only the Netgear has the issue.

malshbou
Level 1

Hi,

You have PFS enabled at the PIX, but not enabled at the router.

  PIX: crypto map mymap 25 set pfs group2

Did you pay attention to this? This can cause issues as the peers won't match in phase 2 rekeying.

HTH

Mashal

------------------ Mashal Shboul
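A small audit of the mismatch Mashal points out, added here as an example that is not part of the thread: it pulls the phase 2 settings of one crypto map entry from each side (the IOS nested syntax and the PIX flat syntax, reconstructed from the configs posted above) and reports the attributes on which the two peers disagree.

```python
import re

# Constructed excerpts of the two crypto map entries from the thread, in their
# native syntax: IOS nests the settings under the map, the PIX repeats the map
# name and sequence number on every line.
IOS_CFG = """\
crypto map 3377 1 ipsec-isakmp
 set peer 66.XX.XX.XX
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 138
"""
PIX_CFG = """\
crypto map mymap 25 ipsec-isakmp
crypto map mymap 25 match address ipsectraffic_pdvcorp-ca_pstn
crypto map mymap 25 set pfs group2
crypto map mymap 25 set peer 184.XX.XX.XX
crypto map mymap 25 set transform-set ESP-3DES-SHA
crypto map mymap 25 set security-association lifetime seconds 86400 kilobytes 4608000
"""

# Phase 2 attributes that must agree on both peers. A side that never sets
# PFS gets None for it, so the asymmetry shows up like any other difference.
CHECKS = {
    "pfs": r"set pfs (\S+)",
    "transform-set": r"set transform-set (\S+)",
    "sa lifetime (s)": r"set security-association lifetime seconds (\d+)",
}

def map_entry(config, name, seq):
    """Extract the phase 2 settings of one crypto map entry from either syntax."""
    lines, in_block = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(f"crypto map {name} {seq} "):
            in_block = True             # PIX style: settings on this same line
            lines.append(line)
        elif in_block and line.startswith(" "):
            lines.append(line.strip())  # IOS style: indented sub-commands
        else:
            in_block = False
    text = "\n".join(lines)
    settings = {}
    for key, pattern in CHECKS.items():
        m = re.search(pattern, text)
        settings[key] = m.group(1) if m else None
    return settings

def phase2_mismatches(side_a, side_b):
    """Return {attribute: (a, b)} for every attribute the two peers disagree on."""
    return {k: (side_a[k], side_b[k]) for k in CHECKS if side_a[k] != side_b[k]}
```

Run against the two excerpts it reports only `pfs` as `(None, 'group2')`, the one-sided PFS setting from the thread.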

Try issuing one command on the interface connected to the Netgear switch: arp timeout 30. See if this resolves your issue.

Mashal,

Thanks for catching this mis-configuration where I was only using PFS one side. Although unrelated, see separate reply (I had a VLAN issue).  I've corrected this.

pdvcisco
Level 1

Well, I'm all wet. This is not a VPN issue, but an issue with the local subnet router (where the remote host pings the Netgear from). I "assumed" it was a VPN issue because I can ping it from hosts on the local subnet. The local subnet router can't ping the Netgear. There are some ARP debug entries that let me know I've got a VLAN / ARP or other issue. Thanks for your responsive help. I'll open a new discussion in a more appropriate group on the supportforums.

470292: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/1

470293: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/0.6

Dan
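The two debug lines above are the clue Dan acts on: the router drops the switch's ARP requests as "wrong cable" on two different interfaces, which means that host's broadcast domain spans both of them. As an added example that is not part of the thread, this script parses such IOS ARP debug output and lists every source seen on more than one interface; the sample input is the two lines from the post plus one constructed benign line.

```python
import re
from collections import defaultdict

# Constructed sample of IOS ARP debug output: the two filtered requests from
# the thread plus one ordinary request so the parser has a line to ignore.
SAMPLE_DEBUG = """\
470292: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/1
470293: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/0.6
470294: *Feb 23 21:26:49.001: IP ARP: rcvd req src 192.168.10.20 0011.2233.4455, dst 192.168.10.1 GigabitEthernet0/0.6
"""

# Matches the "req filtered ... wrong cable" form shown in the thread.
FILTERED_RE = re.compile(
    r"IP ARP req filtered src (?P<ip>\S+) (?P<mac>\S+), "
    r"dst (?P<dst>\S+) \S+ (?P<reason>.*?), interface (?P<intf>\S+)$"
)

def parse_filtered_arp(text):
    """Return {(src_ip, src_mac): {interface, ...}} for every filtered request."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FILTERED_RE.search(line)
        if m:
            seen[(m["ip"], m["mac"])].add(m["intf"])
    return seen

def find_wrong_cable_hosts(text):
    """Hosts whose ARP requests were dropped on more than one interface.

    The same source arriving on several interfaces means its VLAN leaks across
    them (or a port is mis-cabled), so the router never keeps a usable ARP
    entry for it even though hosts on the same segment reach it fine.
    """
    return {
        host: sorted(intfs)
        for host, intfs in parse_filtered_arp(text).items()
        if len(intfs) > 1
    }

if __name__ == "__main__":
    for (ip, mac), intfs in find_wrong_cable_hosts(SAMPLE_DEBUG).items():
        print(f"{ip} ({mac}) seen on {', '.join(intfs)}: check VLAN/cabling")
```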
